Newsgroups: php.internals
Date: Thu, 13 Sep 2012 14:04:15 +0200
From: nicolas.grekas+php@gmail.com (Nicolas Grekas)
To: Anthony Ferrara
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] How about adding PHPass compatibility to the password hashing API

> With respect to adding those algorithms for generating hashes, I'm 100%
> dead set against it.

Ok, I understand and agree, generating hashes for weaker algos is not a good
idea.
The point I wanted to address was forward/backward compatibility with
existing password databases that use PHPass:

> The way password_verify is implemented, it can use any crypt(3) generated
> hash for verification.

So forward/backward compatibility is granted for CRYPT_EXT_DES, well done.
Still, for md5 based hashes ($P$/$H$ prefixes), crypt() doesn't work.

What about handling these schemes only in password_verify()?
I think that could help a lot on adoption rate for the new API, easing the
transition for current phpass users.

Nicolas
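One way to get the verification-only behaviour discussed in this message from userland, added here as an example; it is not code from the thread, from phpass, or from PHP itself. The function names (`phpass_encode64`, `phpass_portable`, `verify_any`) are hypothetical, the sample salt and passwords are constructed, and the `$P$`/`$H$` routine follows the phpass portable scheme (salted, iterated MD5 with phpass's own base-64 alphabet).

```php
<?php
// Added example: verify phpass "portable" ($P$/$H$) hashes, never generate them for storage.
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// phpass's base-64 variant: little-endian 24-bit groups, 6 bits per output character.
function phpass_encode64(string $in, int $count): string {
    $out = ''; $i = 0;
    do {
        $v = ord($in[$i++]);
        $out .= ITOA64[$v & 0x3f];
        if ($i < $count) $v |= ord($in[$i]) << 8;
        $out .= ITOA64[($v >> 6) & 0x3f];
        if ($i++ >= $count) break;
        if ($i < $count) $v |= ord($in[$i]) << 16;
        $out .= ITOA64[($v >> 12) & 0x3f];
        if ($i++ >= $count) break;
        $out .= ITOA64[($v >> 18) & 0x3f];
    } while ($i < $count);
    return $out;
}

// Recompute a portable hash from its setting: prefix + cost character + 8-character salt.
function phpass_portable(string $password, string $setting): ?string {
    if (!preg_match('/^\$[PH]\$[.\/0-9A-Za-z]{9}/', $setting)) return null;
    $log2 = strpos(ITOA64, $setting[3]);          // cost is log2 of the round count
    if ($log2 < 7 || $log2 > 30) return null;     // same bounds phpass enforces
    $hash = md5(substr($setting, 4, 8) . $password, true);
    for ($n = 1 << $log2; $n > 0; $n--) {
        $hash = md5($hash . $password, true);
    }
    return substr($setting, 0, 12) . phpass_encode64($hash, 16);
}

// Hypothetical wrapper: legacy prefixes are checked here, everything else by password_verify().
function verify_any(string $password, string $stored): bool {
    if (strncmp($stored, '$P$', 3) === 0 || strncmp($stored, '$H$', 3) === 0) {
        $calc = phpass_portable($password, $stored);
        return $calc !== null && hash_equals($stored, $calc);  // constant-time compare
    }
    return password_verify($password, $stored);
}

// Constructed sample: a legacy record built in place (cost 'B' = 2^13 rounds, made-up salt).
$legacy = phpass_portable('correct horse', '$P$BexampleS');
var_dump(verify_any('correct horse', $legacy));
var_dump(verify_any('wrong password', $legacy));
// After a successful legacy login, store a hash from the new API instead.
$upgraded = password_hash('correct horse', PASSWORD_DEFAULT);
var_dump(verify_any('correct horse', $upgraded));
```

Because the legacy branch only ever recomputes a hash from an existing stored setting, it keeps old databases usable without offering a path to create new MD5-based records.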